Local File Inclusion (LFI) can occur within an application when user input controls which file is "included". If the contents of that file are then displayed, an attacker may be able to read files within the file system, potentially including sensitive ones.
Example
Consider the following HTTP request to display a list of movies:
https://example.com/movies?file=favorites.txt
The request makes it clear that the service retrieves the named text file and displays or parses it.
From an attacker's perspective, the parameter can be changed to point at any file the service account can read:
https://example.com/movies?file=../../../../../../etc/shadow
This underscores why it is important to restrict the permissions of services.
Some applications use the supplied name only as part of the filename, appending the extension themselves. Taking the previous example, the app may instead accept the following request to read favorites.txt:
https://example.com/movies?file=favorites
Even this presents an issue, because any text file reachable by traversal can now be read.
This is another classic example of changing an application's behavior through the inputs it already exposes.
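The following is an added example, not code from the original page: a Python stand-in for the movie-list endpoint that contrasts the flawed "join the parameter onto the directory" pattern with a read that resolves the path and refuses anything outside the allowed directory. The directory, file names and contents are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Constructed sample data directory standing in for the service's movie lists
# (hypothetical layout; the page does not describe the real one).
MOVIE_DIR = Path(tempfile.mkdtemp(prefix="movies_"))
(MOVIE_DIR / "favorites.txt").write_text("Alien\nHeat\nBlade Runner\n")

def vulnerable_target(name: str) -> Path:
    """The flawed pattern: the 'file' parameter is joined straight onto the
    base directory. '../' segments walk out of MOVIE_DIR unchallenged."""
    return (MOVIE_DIR / name).resolve()

def read_movie_list(name: str, append_ext: bool = False) -> str:
    """Hardened read. append_ext=True mirrors the page's second variant, where
    the app builds '<name>.txt' itself; the containment check is what matters.
    Raises PermissionError for anything that resolves outside MOVIE_DIR."""
    filename = f"{name}.txt" if append_ext else name
    base = MOVIE_DIR.resolve()
    # resolve() collapses '..' and follows symlinks, so the comparison below
    # sees the real location on disk, not the string the client sent.
    target = (base / filename).resolve()
    if base not in target.parents:
        raise PermissionError(f"refused: {filename!r} resolves outside {base}")
    if target.suffix != ".txt":
        raise PermissionError(f"refused: {filename!r} is not a .txt list")
    return target.read_text()

def is_allowed(name: str, append_ext: bool = False) -> bool:
    """Convenience wrapper: True only if the hardened read would succeed."""
    try:
        read_movie_list(name, append_ext)
        return True
    except (PermissionError, FileNotFoundError, IsADirectoryError):
        return False
```

Logging the refused requests from `read_movie_list` gives a cheap detection signal, since legitimate clients never send path separators or `..` in this parameter.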